Exploring Internet Explorer Forensic Artifacts for Analysis

James Ryder | Modified: November 7th, 2015 | File Forensics

Changes in technology have opened new paths for investigation. With these changes, criminal activity has also become established online, and web browsers play a crucial role in it. There are a number of browsers available, such as IE, Google, Yahoo etc. Though these can help in crimes, they provide a path for investigation as well. In a court of law, evidence collected from web browsers has become very important and is regarded as true evidence.

Since browsers leave traces, an investigation can proceed quickly and precisely. Internet Explorer is one of these browsers; it is familiar to all and is available by default in Windows operating systems. The evidence found in it is important and gives good support to an investigation. The history, favorites, cache, cookies etc. are the Internet Explorer forensic artifacts that agents can obtain. This section helps agents locate those files and go deeper into Internet Explorer forensics.

As said earlier, IE is the default browser, so the chances of it having been used are higher. Let us dig out the locations one by one.

Before starting, the point to remember is that IE uses either the History file format or the Cache file format. Cache files are named index.dat; they store both cache and history.

History gives information on the URLs the user has visited. Where is the history stored?

History – Internet Explorer Forensic Analysis

Internet Explorer stores daily, weekly and monthly history under the History folder. The history lets users return to previously visited sites that were not bookmarked, and gives information about the sites visited.

Located at:

[Image: internet explorer forensic analysis]

Website details are stored in Temporary Internet Files as well. What is this file, what does it store, and where is it found?

Temporary Internet Files

This file stores the website data or URLs of the web pages you visited, so on the next visit to the same page the browser takes data from this file. This speeds up browsing and eliminates waiting for the page from the server. Instead of viewing the history file, an agent can check ‘Temporary Internet Files’ for the URLs as well.

The files are located in:

Vista/Win 7:

[Image: internet explorer forensic artifacts]

Win 8:

[Image: internet explorer forensics]

[Image: forensic analysis of internet explorer artifacts]

Cache

The cache is where downloaded items are saved in case they are needed again. The cache has a size limit, which users can set. When the cache is full, items not used for a while are discarded to make room for new ones. Investigators can find the cache file in ‘Temporary Internet Files’ itself.

Vista & Win 7:

[Image: loc3]

Win 8:

[Image: internet explorer forensics]

Favorites

The marked favorites can be found at:

C:\Users\<username>\Favorites
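
The following is an added example, not code from the original article: a read-only triage pass over the Favorites folder of every profile under a mounted image's `Users` directory. It assumes the usual on-disk form of a favorite (a `.url` text file with an `[InternetShortcut]` section and a `URL=` key); the function names and the sample tree built by `demo()` are constructed for illustration.

```python
import configparser
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def parse_url_file(path: Path) -> dict:
    """Return URL, mtime and hash for one .url shortcut; the file is only read."""
    raw = path.read_bytes()
    try:  # shortcuts may be UTF-8 (with or without BOM) or a legacy ANSI code page
        text = raw.decode("utf-8-sig")
    except UnicodeDecodeError:
        text = raw.decode("cp1252", errors="replace")
    # RawConfigParser does no '%' interpolation, so URL escapes like %20 survive;
    # strict=False tolerates duplicated sections or keys in hand-edited files.
    cp = configparser.RawConfigParser(strict=False)
    try:
        cp.read_string(text)
        url = cp.get("InternetShortcut", "URL", fallback=None)
    except configparser.Error:
        url = None  # malformed file: keep the record, flag the missing URL
    mtime = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
    return {
        "file": path.name,
        "url": url,
        "modified_utc": mtime.isoformat(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }

def collect_favorites(users_root: Path) -> list:
    """Walk <users_root>/<username>/Favorites for every profile found."""
    records = []
    for fav_dir in sorted(users_root.glob("*/Favorites")):
        # Match the extension case-insensitively so *.URL is not missed.
        for path in sorted(p for p in fav_dir.rglob("*") if p.suffix.lower() == ".url"):
            rec = parse_url_file(path)
            rec["user"] = fav_dir.parent.name
            rec["folder"] = str(path.parent.relative_to(fav_dir))
            records.append(rec)
    return records

def demo() -> list:
    """Build a constructed profile tree (sample data, not real evidence) and parse it."""
    with tempfile.TemporaryDirectory() as tmp:
        fav = Path(tmp) / "alice" / "Favorites" / "Links"
        fav.mkdir(parents=True)
        (fav / "Example.url").write_bytes(b"[InternetShortcut]\r\nURL=http://example.com/a%20b?x=1\r\n")
        (fav / "Broken.URL").write_bytes(b"not an ini file\r\n")
        return collect_favorites(Path(tmp))
```

On a real case, point `collect_favorites` at the `Users` directory of a write-blocked or read-only mounted image rather than at a live system.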

Cookies

The purpose of cookies is to identify users and to prepare customized pages.

In Windows 7 the Cookies can be seen in:

[Image: internet explorer forensic analysis]

In Windows 8:

[Image: internet explorer forensic artifacts]

Note

In order to access these Internet Explorer files, users have to perform some operations (apart from finding ‘Favorites’). Unless the following is done, the files won’t be visible.

  1. Open the C drive and click ‘Organize’ at the top.
  2. From the dropdown list, choose ‘Folder and search options’.
  3. Click on the ‘Views’ tab.
  4. Check the ‘Do not show hidden files and folders’ and uncheck the ‘Hide protected OS files’.
  5. Apply the options.

Once this is done, the files will be available in the above-mentioned locations.

Bottom Line

Much information can be dug out of the IE files. Though web browsers play a role in criminal activities, they also help in tracing suspects. Hope this information has added some knowledge and helps in the path of investigation. From the path C:\Users\<username>\Local\Microsoft\Windows\, agents can collect the information they want.